2.8
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.68
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-AULS [Trj] | 20191007 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Downloader.Waski.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191007 | 2013.8.14.323 |
| McAfee | Upatre-FAEL!A4072169C56E | 20191007 | 6.0.6.653 |
| Tencent | None | 20191007 | 1.0.0.1 |
静态指标
查询计算机名称
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545287.547375 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
|
1727545287.906 GetComputerNameW |
computer_name:
TU-PC
|
success | 1 | 0 |
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545287.453375 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545287.844 IsDebuggerPresent |
failed | 0 | 0 |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .ap0x |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
在 PE 资源中识别到外语
(10 个事件)
| name | RT_ICON | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000a17c | size | 0x00001ca8 | ||||||||||||||||||
| name | RT_ICON | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000a17c | size | 0x00001ca8 | ||||||||||||||||||
| name | RT_RCDATA | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x000053e0 | size | 0x00000a46 | ||||||||||||||||||
| name | RT_RCDATA | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x000053e0 | size | 0x00000a46 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000be28 | size | 0x00000014 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000be28 | size | 0x00000014 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000be40 | size | 0x0000025c | ||||||||||||||||||
| name | RT_VERSION | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000be40 | size | 0x0000025c | ||||||||||||||||||
| name | RT_MANIFEST | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000c0a0 | size | 0x00000152 | ||||||||||||||||||
| name | RT_MANIFEST | language | LANG_ZULU | filetype | None | sublanguage | SUBLANG_ARABIC_LIBYA | offset | 0x0000c0a0 | size | 0x00000152 | ||||||||||||||||||
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kyyjs.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kyyjs.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\kyyjs.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00008000', 'virtual_size': '0x00002000', 'size_of_data': '0x00001a00', 'entropy': 7.393706635428362} | entropy | 7.393706635428362 | description | 发现高熵的节 | |||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 74.125.34.46 | |||
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 53 个反病毒引擎识别为恶意
(50 out of 53 个事件)
| ALYac | Gen:Trojan.Ipatre.1 |
| APEX | Malicious |
| AVG | Win32:Agent-AULS [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Trojan.Ipatre.1 |
| AhnLab-V3 | Downloader/Win32.Upatre.R291682 |
| Antiy-AVL | Trojan[Downloader]/Win32.Upatre |
| Arcabit | Trojan.Ipatre.1 |
| Avast | Win32:Agent-AULS [Trj] |
| Avira | TR/Crypt.XPACK.Gen |
| Baidu | Win32.Trojan-Downloader.Waski.a |
| BitDefender | Gen:Trojan.Ipatre.1 |
| CAT-QuickHeal | Trojan.UpatreRI.S7646295 |
| ClamAV | Win.Downloader.Upatre-6840800-0 |
| Comodo | TrojWare.Win32.TrojanDownloader.Upatre.AAL@5iclp5 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.9c56ee |
| Cylance | Unsafe |
| DrWeb | Trojan.DownLoad3.34292 |
| ESET-NOD32 | Win32/TrojanDownloader.Waski.A |
| Emsisoft | Gen:Trojan.Ipatre.1 (B) |
| Endgame | malicious (moderate confidence) |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.a4072169c56ee123 |
| Fortinet | W32/Waski.A!tr |
| GData | Gen:Trojan.Ipatre.1 |
| Ikarus | Trojan.Win32.Bublik |
| Invincea | heuristic |
| Jiangmin | TrojanDownloader.Upatre.p |
| K7AntiVirus | Trojan ( 004bcce41 ) |
| K7GW | Trojan ( 004bcce41 ) |
| Kaspersky | Trojan-Downloader.Win32.Upatre.bla |
| MAX | malware (ai score=83) |
| Malwarebytes | Adware.IStartSurf |
| McAfee | Upatre-FAEL!A4072169C56E |
| McAfee-GW-Edition | BehavesLike.Win32.MultiDropper.pm |
| MicroWorld-eScan | Gen:Trojan.Ipatre.1 |
| Microsoft | TrojanDownloader:Win32/Upatre.AA |
| NANO-Antivirus | Trojan.Win32.Upatre.dfecyf |
| Panda | Trj/Upatre.N |
| Qihoo-360 | HEUR/QVM19.1.642F.Malware.Gen |
| Rising | Dropper.Dapato!8.2A2 (TFE:2:1rA9VijPqKK) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/HkMain-AZ |
| Symantec | ML.Attribute.HighConfidence |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_UPATRE.SM37 |
| TrendMicro-HouseCall | TROJ_UPATRE.SM37 |
| VBA32 | TrojanDownloader.Upatre |
| VIPRE | Trojan-Downloader.Win32.Cutwail.bza (v) |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1973-03-03 18:25:35
PE Imphash
282845caafb77fe66ad750ccd3132121
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00007000 | 0x00005000 | 3.6955461579921596 |
| UPX1 | 0x00008000 | 0x00002000 | 0x00001a00 | 7.393706635428362 |
| .rsrc | 0x0000a000 | 0x00003000 | 0x00002400 | 3.965931796080329 |
| .ap0x | 0x0000d000 | 0x00000394 | 0x00000400 | 3.5466404850820186 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000a17c | 0x00001ca8 | LANG_ZULU | SUBLANG_ARABIC_LIBYA | None |
| RT_RCDATA | 0x000053e0 | 0x00000a46 | LANG_ZULU | SUBLANG_ARABIC_LIBYA | None |
| RT_GROUP_ICON | 0x0000be28 | 0x00000014 | LANG_ZULU | SUBLANG_ARABIC_LIBYA | None |
| RT_VERSION | 0x0000be40 | 0x0000025c | LANG_ZULU | SUBLANG_ARABIC_LIBYA | None |
| RT_MANIFEST | 0x0000c0a0 | 0x00000152 | LANG_ZULU | SUBLANG_ARABIC_LIBYA | None |
Imports
Library kernel32.dll:
• 0x403000 LoadLibraryA
• 0x403004 InterlockedIncrement
• 0x403008 InterlockedDecrement
• 0x40300c InterlockedExchange
• 0x403010 InitializeCriticalSection
• 0x403014 DeleteCriticalSection
• 0x403018 EnterCriticalSection
• 0x40301c LeaveCriticalSection
• 0x403020 GetStartupInfoA
• 0x403024 GetModuleHandleA
Library MSVCRT.dll:
• 0x40302c _except_handler3
• 0x403030 _controlfp
• 0x403034 __set_app_type
• 0x403038 __p__fmode
• 0x40303c __p__commode
• 0x403040 _adjust_fdiv
• 0x403044 __setusermatherr
• 0x403048 _exit
• 0x40304c _initterm
• 0x403050 __getmainargs
• 0x403054 _acmdln
• 0x403058 exit
• 0x40305c _XcptFilter
Library USER32.dll:
• 0x403064 PostQuitMessage
• 0x403068 SendMessageA
• 0x40306c DestroyWindow
• 0x403070 DefWindowProcA
• 0x403074 CreateWindowExA
• 0x403078 UpdateWindow
• 0x40307c RegisterClassExA
• 0x403080 FindWindowA
• 0x403084 ShowWindow
• 0x403088 GetMessageA
• 0x40308c TranslateMessage
• 0x403090 DispatchMessageA
• 0x403094 IsIconic
L!This program cannot be run in DOS mode.
s@m_B5
@=6"@
YG+}p{
hSVWeo
$Tn0ou>"u:F
XPVSS#$Pi
bh=[NX
TEXMs_
xs,OSy
%lrrA;
b.'M;c
.gV'ohy
;7KMrmsf
"-IlVY
i6w/cGV
;fBwbfz
kaF0(kU3)=BE
o @(@vM_
^v\0z<
[@*|;"^B
pUf>y6
0r'&`^{=
uM>mDGQ
n[7F-s6<~wm]Dme
m"d%Ws
Lfx5*R
+[1e*+<48n
Z\!4$Qq$&
Zr}-Xk
m]EW|X$U
m\`\#y8_EUn
@gA3lC.a82
<kC#7dWMp}
<J{gVyF\\'j
|,!!*U_'!iQ
OUDvR{
7a-6hp
<~m:/o
oK[ztf
}6N_l}Y14_V
e#Y&UY
f8\B$!
#Ko0j!olQO
Cgx(PgKfT"p,`m:D
^rX%_B_%7zi#
^[%]*bF
}3h5Lj
za1X[[U]rjy
7xcLUZ1h
hSVWe3
EEP5dG@
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
bh=[NX
TEXMs_
xs,OSy
}z%lrrA;
b.'M;c
;7KMrmsf
"-IlVY
i6wcGVZ;fBwbfz
0(kU3)=BE
o @(@vM
OQdlr=aPt
\JrY}q
[@*|;"^B
pUf>t6
0r'&`^{=
uM>mDGQ
m"d%Ws
Lfx5*R
+9[1e*+
Z\!4$Qq$&
Zr}-Xk
kF]EW|X$U
m\`\#28_EUn
@gA3lC.a82
<kC#dWMp
$<J{gVyF\\'j
,!hGAi
|,!!*m
OUDvR{
^B9k*#
]JNnxC1
oK[ztf
6N_l}Y14x_
"wm^9fW}QO
B!olQON
Cgx(PmfT"p,`m:sD
^rX%_B_%7zi#
^[%]*bF
}3h5Ls$'8
( oJaH?
dWza1X[U]rjF
}imx^BLUZvh
zum:4G{2"[:_
sli^;a%
WVSQ~UXE
}ht }it
@@@@@@@
^B#lcTD*#
FG3@_^]
@@@@@@@@
@@@@@@@
@@@@@@
fZuSAVWAf9
GGEGGEM;r
@@@@@@
Riched32.dll
RichEdit
\.Z~+:M
W{8'+ZVV@@
sanander
crashes
posaltoufive
secondmasteng
corect
Mivissini romi
A-z{r\@
Style [
name: styleMainWnd
bg_col: sepia
Style [
name: stylePage
padding: 32 16
bg_col: transparent
Style [
name: styleNextDefault
parent: buttonDefault
border_width: 0
padding: 0 8
stroke_width: 0
fill: gray
bg_col: transparent
vert_align: center
Style [
name: styleNextMouseOver
parent: styleNextDefault
fill: black
Style [
name: styleStatus
parent: buttonDefault
bg_col: light gray
col: black
font_size: 8
font_weight: regular
padding: 3 0
border_width: 0
text_align: center
Style [
name: styleProgress
bg_col: light gray
col: light blue
ButtonVector [
name: nextButton
clicked: next
path: M0 0 L10 13 L0 ,26 Z
style_default: styleNextDefault
style_mouse_over: styleNextMouseOver
ButtonVector [
name: prevButton
clicked: prev
path: M10 0 L0, 13 L10 26 z
style_default: styleNextDefault
style_mouse_over: styleNextMouseOver
Button [
name: statusButton
style: styleStatus
ScrollBar [
name: progressScrollBar
style: styleProgress
cursor: hand
EbookPage [
name: page
style: stylePage
HorizontalLayout [
name: top
children [
prevButton self 1 bottom
page 1 1 top
nextButton self 1 center
VerticalLayout [
name: mainLayout
children [
top 1 1 top
progressScrollBar self 1 center
statusButton self 1 center
]Style [
name: styleMainWnd
bg_col: sepia
Style [
name: stylePage
padding: 32 16
bg_col: transparent
Style [
name: styleNextDefault
parent: buttonDefault
border_width: 0
padding: 0 8
stroke_width: 0
fill: gray
bg_col: transparent
vert_align: center
Style [
name: styleNextMouseOver
parent: styleNextDefault
fill: black
Style [
name: styleStatus
parent: buttonDefault
bg_col: light gray
col: black
font_size: 8
font_weight: regular
padding: 3 0
border_width: 0
text_align: center
Style [
name: styleProgress
bg_col: light gray
col: light blue
ButtonVector [
name: nextButton
clicked: next
path: M0 0 L10 13 L0 ,26 Z
style_default: styleNextDefault
style_mouse_over: styleNextMouseOver
ButtonVector [
name: prevButton
clicked: prev
path: M10 0 L0, 13 L10 26 z
style_default: styleNextDefault
style_mouse_over: styleNextMouseOver
Button [
name: statusButton
style: styleStatus
ScrollBar [
name: progressScrollBar
style: styleProgress
cursor: hand
EbookPage [
name: page
style: stylePage
HorizontalLayout [
name: top
children [
prevButton self 1 bottom
page 1 1 top
nextButton self 1 center
VerticalLayout [
name: mainLayout
children [
top 1 1 top
progressScrollBar self 1 center
statusButton self 1 center
LoadLibraryA
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetStartupInfoA
GetModuleHandleA
_except_handler3
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
PostQuitMessage
SendMessageA
DestroyWindow
DefWindowProcA
CreateWindowExA
UpdateWindow
RegisterClassExA
FindWindowA
ShowWindow
GetMessageA
TranslateMessage
DispatchMessageA
IsIconic
`.rdata
@.data
i6w/cGV
;fBwbfz
kaF0(kU3)=BE
o @(@vM_
^v\0z<
[@*|;"^B
pUf>y6
0r'&`^{=
uM>mDGQ
n[7F-s6<~wm]Dme
m"d%Ws
Lfx5*R
+[1e*+<48n
Z\!4$Qq$&
Zr}-Xk
m]EW|X$U
m\`\#y8_EUn
@gA3lC.a82
<kC#7dWMp}
<J{gVyF\\'j
|,!!*U_'!iQ
OUDvR{
7a-6hp
<~m:/o
oK[ztf
}6N_l}Y14_V
e#Y&UY
f8\B$!
#Ko0j!olQO
Cgx(PgKfT"p,`m:D
^rX%_B_%7zi#
^[%]*bF
}3h5Lj
za1X[[U]rjy
7xcLUZ1h
zu4G{2"[:_K
5_0<=mZ=
sli^8;a%
4P&f&5
<v-=jt
WTujV?2
XjijhkE
lKwht
i1d?m=+
%L%\p?
{/5WaOf
#lc*Pr`H/
?[5XB.
Y@Y;^@>`or^;6c$
?<Y!/-
_RK$~*Da
u9H/&[RT
gQS]h"
o>IfH<O6KFJJ#
f+ol4n
fZuSGA{Af9
IMAc]I
oH7/d9=YS[$
_>MIx/h
@M@ C|
@,4Ml1
;17d?v
TB,i0
??Riche@2.dll
Edita \.Z~+:M
W{8'+ZVV`nm/
2zr4h2
3K2L&&dd2LL&d2-"
sander
crashes
poltoufive}[~d/secom(teng
M(issini romi
-z{r\@[
Style [
name: s
MainWnd
bg_col
_padd6g
32 16;tra)ns
rentANextDefaul#+
button
xborv_width
stroke
aKfil}gyvYs
Mt_align
O4letblackL[a
U`[;f+sizN8
hmkwe+
xPUfess
EBVv57sLnr
51w7ed
M0 L1aVn
m_oOa
1L0, X
@w 4029cje
<cursohRcDLE!;aoYL
-H;}vm
]lfA i
t bmoadLibraryA
Excuge
it'7izeCri[S1
Leav+]G@,rtupg>foA
ModuXHl[
_se/,pp_type
jusZo+fdiv7
\im#gsws
gs@cm(fso
XcFil+ndPobQu M
yWSdow
Regisel
*PuT5@WlHDG
sIVjPEl!L
H]U,/Wg
"'Ot_psrz.O$8
XPTPSWXaD$j
ie95he
GDGDFC
-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!
."3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&3&."
0$5'5'5'5'5'5'5'5'3&5'5'5'5'3&3&3&5'5'5'3&5'5'5'5'5'5'5'5'5'5'0$
2%6(6(6(6(6(6(6(6(6(6(6(6(vp6(6(6(6(6(6(6(6(6(6(6(6(2%
4&9*9*9*9*9*9*9*9*6(6(7(9*}v9*9*9*9*9*9*9*9*9*9*9*9*4&
5'>/>/>/>/>/>/>/>/>/>/
x>/>/7(7(<.>/>/>/>/>/>/>/5'
7)D3D3D3D3D3D3D3D3[MD3D3C3D3D3D3D3D3D3D3D3D37)
>/H9H9H9H9H9H9H9H9G8qgH9G8
{H9H9H9H9H9H9H9H9H9H9H9H9>/
D4L=L=L=L=L=L=L=L=qhL=qhL=L=D4D4J<L=L=L=L=L=L=L=D4
K<RCRCRCRCRCRCRCRCRCRCRCRCRCRCRCRCRCRCK<
RCWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHRC
YJ\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\L\LYJ
_P_P{p{p{p{p{p{pxmxmvkvkvkvkvkvkvkvkvkvkvkvkvkvkvkvkvkvkvkvk_P_P
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
KERNEL32.DLL
MSVCRT.dll
USER32.dll
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
IsIconic
kernel32.dll
MSVCRT.dll
USER32.dll
LoadLibraryA
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetStartupInfoA
GetModuleHandleA
_except_handler3
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
PostQuitMessage
SendMessageA
DestroyWindow
DefWindowProcA
CreateWindowExA
UpdateWindow
RegisterClassExA
FindWindowA
ShowWindow
GetMessageA
TranslateMessage
DispatchMessageA
IsIconic
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
5�A�1�3�3�2�B�6�
C�o�m�p�a�n�y�N�a�m�e�
J�i�n�e�J�o�n�g�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
J�i�n�e�J�o�n�g� �c�o�m�p�a�n�y�
F�i�l�e�V�e�r�s�i�o�n�
V�e�r�s�i�o�n� �2�.�5�.�2�3�
I�n�t�e�r�n�a�l�N�a�m�e�
J�i�n�e�J�o�n�g�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �b�y� �J�i�n�e�J�o�n�g�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
J�i�n�e�J�o�n�g�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
C�:�\�U�s�e�r�s�\�j�o�h�n�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�6�D�1�8�5�8�4�F�2�B�0�8�D�C�3�C�6�D�3�6�E�F�3�4�0�1�9�0�F�1�7�4�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�f�a�c�t�u�r�a�.�e�x�e�
C�:�\�7�9�6�4�2�9�d�6�e�2�a�9�7�e�8�6�a�0�a�f�e�a�6�7�f�b�5�d�8�2�5�c�4�4�8�5�c�b�d�c�8�3�1�4�a�d�c�b�9�3�7�2�3�4�7�d�6�4�1�d�c�3�3�6�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�I�n�T�P�t�2�R�J�.�e�x�e�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�i�n�v�o�i�c�e�.�e�x�e�
C�:�\�4�a�d�3�3�f�1�1�d�0�b�d�3�d�6�2�a�5�5�5�e�c�4�e�0�7�1�4�5�5�5�9�8�0�4�d�f�6�9�c�c�f�0�3�e�c�1�5�1�b�d�a�3�0�5�1�6�c�9�3�a�6�d�3�
C�:�\�a�7�4�f�3�2�4�b�c�d�b�6�d�9�2�e�e�8�0�5�a�9�6�f�1�f�d�6�1�0�1�b�5�8�1�6�3�6�4�4�f�0�2�1�1�e�c�e�e�c�b�d�0�a�5�2�5�d�6�7�b�c�b�4�
C�:�\�a�a�2�7�c�8�9�d�4�e�c�7�e�9�a�7�5�1�3�7�0�8�7�7�a�9�9�a�3�a�8�c�7�6�f�9�4�e�f�0�d�a�e�0�f�5�1�8�4�a�c�3�2�a�4�7�d�6�6�6�7�4�f�f�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�y�y�j�s�.�e�x�e�
C�:�\�b�5�9�c�d�f�2�e�c�f�9�c�7�f�f�c�4�4�3�3�a�9�9�f�8�d�0�e�7�5�6�5�f�3�7�1�f�1�6�e�d�9�c�3�5�c�d�f�d�4�4�8�9�2�9�3�1�5�b�0�d�9�5�8�
C�:�\�7�3�e�6�d�4�e�e�a�a�e�6�1�7�2�e�4�a�8�9�6�b�a�4�a�1�c�4�f�a�5�a�2�a�d�9�7�1�2�0�b�7�0�b�2�6�4�d�5�c�4�8�d�8�3�a�d�f�5�4�a�9�0�c�
C�:�\�e�9�5�4�e�8�2�9�c�5�6�4�6�6�2�2�2�7�e�a�3�b�a�1�6�2�9�3�1�a�2�b�d�0�e�9�1�c�c�a�8�a�6�b�c�9�1�f�3�5�b�6�7�5�7�f�6�7�3�5�a�b�d�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�y�y�j�s�.�e�x�e�
C�:�\�b�d�a�b�a�b�d�4�b�a�a�7�f�6�b�d�f�b�8�5�5�5�4�7�0�d�6�f�3�7�6�b�1�d�f�9�7�2�f�a�e�e�2�3�1�e�6�9�c�2�9�a�c�a�0�b�9�c�a�3�4�0�d�4�
C�:�\�D�o�c�u�m�e�n�t�s� �a�n�d� �S�e�t�t�i�n�g�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�k�d�8�8�2�q�u�W�.�e�x�e�
C�:�\�6�5�6�a�a�5�7�3�a�e�a�a�f�7�d�0�a�4�b�a�a�6�e�2�4�0�5�5�0�d�e�9�9�3�5�8�5�3�b�b�0�2�6�d�2�0�1�c�9�f�8�a�9�f�c�a�6�4�a�b�6�8�1�b�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�y�y�j�s�.�e�x�e�
C�:�\�1�2�6�f�5�6�b�3�b�2�2�0�c�9�e�5�f�6�3�9�d�d�d�6�3�e�0�c�1�e�1�b�6�4�7�1�5�0�7�c�9�9�b�5�5�3�6�5�2�0�5�6�f�0�e�7�1�d�8�e�2�1�2�3�
C�:�\�b�e�3�e�8�7�2�8�6�8�0�3�5�0�d�b�c�1�8�d�3�3�6�5�5�e�e�3�7�1�3�4�6�0�0�f�7�5�9�e�d�f�d�8�9�7�7�0�6�f�1�4�d�2�8�c�2�b�9�f�2�3�e�0�
C�:�\�7�5�a�6�6�4�0�5�8�d�d�9�3�e�9�7�2�e�e�f�0�9�2�0�1�9�0�f�3�d�a�f�3�9�4�f�1�3�6�a�a�2�c�0�9�f�b�e�9�1�e�1�f�8�f�f�d�1�9�1�b�1�2�3�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�y�y�j�s�.�e�x�e�
C�:�\�0�d�b�9�7�d�6�8�9�3�d�8�8�e�d�8�5�1�8�a�f�f�6�b�b�b�c�c�5�2�2�e�d�6�0�3�c�0�f�b�3�7�c�1�0�5�f�f�2�8�3�7�0�2�2�5�b�e�9�9�b�1�9�a�
C�:�\�0�7�4�e�a�9�a�f�6�6�e�0�9�f�c�c�4�3�7�6�0�9�0�d�0�7�e�0�0�d�f�8�a�f�0�6�0�6�f�2�c�c�6�9�6�2�0�4�c�4�1�d�2�a�8�0�3�f�7�7�7�e�1�b�
C�:�\�b�e�6�0�a�7�4�d�4�d�a�e�d�d�2�b�8�0�1�6�6�4�7�1�a�9�7�d�5�f�c�0�c�8�1�0�1�5�9�c�3�e�8�b�1�d�5�7�e�7�2�a�8�8�e�f�0�7�5�8�9�1�e�8�
C�:�\�6�3�a�2�f�b�e�8�b�3�5�b�9�2�1�5�b�9�8�6�a�6�d�4�a�0�e�1�e�3�2�7�d�0�c�c�2�2�0�4�1�5�4�5�d�7�6�0�a�b�d�3�d�5�0�5�3�7�1�f�e�0�f�0�
C�:�\�U�s�e�r�s�\�P�e�t�r�a�\�A�p�p�D�a�t�a�\�L�o�c�a�l�\�T�e�m�p�\�k�y�y�j�s�.�p�e�3�2�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�1�c�3�a�2�7�7�c�0�2�e�3�e�a�d�5�_�k�y�y�j�s�.�e�x�e�
C�:�\�c�a�7�5�a�5�a�0�9�6�a�3�4�a�4�8�a�6�5�0�7�a�2�9�0�e�7�1�9�1�b�7�9�f�c�b�0�e�7�3�a�6�1�6�e�a�5�3�f�c�0�4�e�9�b�7�b�f�5�0�7�b�f�1�
C�:�\�5�b�1�0�b�e�1�9�b�f�d�7�c�e�7�3�0�f�e�3�f�f�9�5�7�d�6�2�9�5�5�1�f�8�6�8�7�a�1�f�f�b�6�e�4�b�1�3�f�0�6�5�8�f�f�7�b�8�5�1�c�1�2�4�
C�:�\�U�s�e�r�s�\�a�d�m�i�n�\�D�o�w�n�l�o�a�d�s�\�k�y�y�j�s�.�e�x�e�
C�:�\�2�7�4�7�2�9�5�8�5�7�2�3�4�7�4�8�c�c�5�3�b�1�7�a�d�9�5�b�1�1�3�2�f�9�9�0�b�9�d�c�d�1�8�2�5�d�6�a�1�f�8�5�5�4�6�a�3�5�5�a�1�c�b�b�
Process Tree
-
03233e7c55091b7eb056290b44ac11f4d1dc9b4c1150a01f76630d59fc64c22d.exe (1064)
"C:\Users\Administrator\AppData\Local\Temp\03233e7c55091b7eb056290b44ac11f4d1dc9b4c1150a01f76630d59fc64c22d.exe"
- kyyjs.exe (920) "C:\Users\ADMINI~1\AppData\Local\Temp\kyyjs.exe"
Hosts
| IP |
|---|
| 74.125.34.46 |
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 74.125.34.46 | 80 | 192.168.56.101 | 49164 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | ff6c0f5a05b315ea_kyyjs.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\kyyjs.exe |
| Size | 44.3KB |
| Processes | 1064 (03233e7c55091b7eb056290b44ac11f4d1dc9b4c1150a01f76630d59fc64c22d.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | e7327ebad5fc69df71827bbd2cf9c15d |
| SHA1 | 8656c63b63ff0dba8d5b39c11f0ffe16c8583fe9 |
| SHA256 | ff6c0f5a05b315ea399df7500bab371a917ee72281e748b2f9a41ea321c92e39 |
| CRC32 | 64EE5AD9 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.